Policy 7230A - Department of Administration
4. Access Control

These Assessment and Planning Non-Mandatory Procedures support the Enterprise Security Policy (ITEC 7230 Rev 1).

                                                   Mandatory                Non-Mandatory
                                                   Procedures  Baselines    Procedures  Baselines
4. Access Control
4.1. Identification and Authentication
4.1.1. Manage Identification and Authentication    (6 sets)  (4 sets)
4.2. Account Management
4.2.1. Configure User Accounts                     (4 sets)  (2 sets)
4.3. Session Management
4.3.1. Configure Systems for Secure Access         (6 sets)  (3 sets)
4.3.2. Configure Systems for Secure Communications (3 sets)  (1 set)
4.4. Maintain Records
4.1. Identification and Authentication

No applicable Non-Mandatory Procedures.

4.2. Account Management

The following are the Non-Mandatory Procedures that support the Account Management section of the Default Security Requirements:

4.2.1. Configure User Accounts

Agencies should establish the system accounts that will be used to access systems in a manner that promotes and enhances security while maintaining business functionality:
4.2.1.1 Create User Accounts to Optimize Security

Users must be provided accounts for all systems that they require access to; however, those accounts must be created in a manner that enhances and enforces organizational security requirements:

• Accounts must be created with the minimal set of permissions (also known as least privilege) required by positional role.
• Accounts must be created with the minimal set of responsibilities (also known as job segregation) required by positional role.
• Accounts must be configured to require the use of unique identifiers and authenticators.
• Accounts must be configured to enforce system lockout in the event of failed authentication.
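The four controls above are stated as requirements, not as an implementation. The following is an added example, not part of Policy 7230A or any ITEC procedure, showing how a small account registry could enforce them: a role catalogue that grants only the permissions a positional role needs, rejection of duplicate user identifiers, a per-account salted authenticator, and a lockout after repeated failed authentication. The role names, permission sets, lockout threshold (5 failures) and lockout window (15 minutes) are assumptions chosen for illustration; the policy itself gives no such values.

```python
"""Added example (not from Policy 7230A): a minimal account registry that
enforces least privilege, unique identifiers, and lockout on failed
authentication. All role names, permissions, and lockout numbers are
illustrative assumptions, not values from the policy."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Assumed role catalogue. Each role carries only the permissions its
# positional role requires (least privilege), and the roles do not share
# responsibilities (job segregation). Illustrative values only.
ROLE_PERMISSIONS = {
    "helpdesk": frozenset({"reset_password", "view_ticket"}),
    "dba": frozenset({"read_db", "write_db"}),
    "auditor": frozenset({"read_audit_log"}),
}

LOCKOUT_THRESHOLD = 5       # assumed: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed: how long the lock is held
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    user_id: str
    role: str
    permissions: frozenset
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def _hash_password(password: str, salt: bytes) -> bytes:
    """Per-account salted PBKDF2 so two users never share an authenticator."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, role: str, password: str, registry: dict) -> Account:
    """Create an account whose permissions are exactly those of its role."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    # Unique identifier: a user ID may exist only once in the registry.
    if username in registry:
        raise ValueError(f"user ID {username!r} already exists")
    salt = secrets.token_bytes(16)
    acct = Account(username, role, ROLE_PERMISSIONS[role], salt,
                   _hash_password(password, salt))
    registry[username] = acct
    return acct


def authenticate(acct: Account, password: str, now: float) -> bool:
    """Verify the authenticator; count failures and lock after the threshold."""
    if now < acct.locked_until:
        # Locked: reject without checking the password, so a locked account
        # gives no feedback about whether the supplied password was right.
        return False
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return False


def is_locked(acct: Account, now: float) -> bool:
    return now < acct.locked_until


def has_permission(acct: Account, permission: str) -> bool:
    """Permission check driven solely by the role's minimal set."""
    return permission in acct.permissions


if __name__ == "__main__":
    registry = {}
    acct = create_account("jdoe", "helpdesk", "correct horse", registry)
    print("can reset passwords:", has_permission(acct, "reset_password"))
    print("can write the database:", has_permission(acct, "write_db"))
    for _ in range(LOCKOUT_THRESHOLD):
        authenticate(acct, "wrong", 1000.0)
    print("locked after repeated failures:", is_locked(acct, 1000.0))
```

Two design points worth noting: the lockout check runs before the password check, so a locked account cannot be used to confirm a guessed password, and permissions are never assigned to an account directly, only inherited from the role, which keeps the least-privilege set reviewable in one place.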
7